The Glorification of Pentesters
TLDR: A wannabe defender trying to reason with the world that only appreciates pentesters
Information Security Community has been growing leaps and bounds in past couple of years/months, but what have we actually achieved in these many years of existence.
“Attacks have gone sophisticated, attackers have got massive collaboration platforms. Looking at projects like OWASP, it’s trivially simple to be an attacker.”
Like i and many others keep saying a defender needs to protect 65536 * 2 ports on each of the system under its control whereas an attacker just need one port or one way of gaining access.
Taking a step back, if we analyse infosec community. We started either 1. As a fun way to explore how a system could be used / abused
2. A way by which we can strengthen the security of the system
I think we have reached a point where we need to make a decision and decide do we want to stick with definition where we say we focus on how to use / abuse system or we decide that we want to strengthen the security of the system. Over past many years every one of us has tried to twist these definition and fit things into our own perspective. But time and again its proven that this doesn’t work the way we want it to work. So we need to be clear we want to keep exploring the systems or we want to also defend them.
You may ask How does that matters its one and the same thing. At this point let me bring out some facts, when you are exploring systems you are not worried about putting in safeguards finding brilliant solutions to complex problems, you are just creating or as everyone likes to call it discovering / identifying more problems. Largely at this point in time we glorify every attacker who is able to punch a hole in any system and we curse the devs / ops folks from the company which is hacked. But have we ever sat down and appreciated a sys admin / dev who has written a software which is not found to be vulnerable to most basic issues. Simple flat answer is No, we assume it’s the duty of developer to write good code. By same analogy it’s a duty of the attacker to find flaws in the system, what big have they achieved. They uncovered a flaw in the logic / coding practice, yes worth appreciating but a large number of times the sole purpose of hiring the person / team is to have a second eye so that we may not have missed something like this.
Do we ever think about retrospectively going back and putting a fine on every attacker who has claimed to have thoroughly tested the system, when a bug is discovered at a later stage. NO, we cover our bases stating we didn’t reached XYZ point or the field is exploratory and people will find creating ways to exploit a problem. When people can find creative ways to find bug why is defenders put to shame that they didn’t think of this defence. It’s simple the field is exploratory both sides need to keep exploring.
To be more dramatic, every Single time an attacker is praised a defender weeps in darkness as the efforts by them are neither recognized nor appreciated. Also considering the large ego attackers carry around and “I can hack anything” defenders generally tend to not boast about their own achievements. No hacking incidence for one whole year should be an achievement (as this could be attributed to the fact that the software is well written or network is well configured / monitored). However to further degrade the role of a defender we came up with terms like “everyone is hacked, it’s just a matter of realizing” and this hits the most. What if i am not, Defender is always in a state of paranoia and attackers keep basking in all the glory they can get. Much of this has risen from the realization that the world really needs legacy software / hardware to function correctly and a large number of those protocols / software / hardware designers / developers never had such elaborate thread model’s to ensure proper security control / checks.
As much as i appreciate the efforts done by the attacker groups but i can dare and rather double dog dare all attackers to switch places and realized the paranoia for once and then you will realize how easy being an attacker is. Let me elaborate this one, what i have seen mostly is a nickname hiding behind blogspot blog to claim that XYZ company can’t maintain the security, If we ask the person to maintain his / her own machine and a web application on top of it. I can bet more than 50% will fail to follow the basic principles of secure coding/deployment. It’s like **intelligent folks always have self-doubts but idiots are full of confidence. **
I am going to slightly shift focus to newest FAD “Bug (BEG) bounties“.
Let’s talk about bug bounties and how they have affected the scene, you pay big bucks to people who find flaws. ever thought of asking them to put a fix to it ( i think 1–2 bug bounty programs have that and they seen the least turn up / submissions: Refer Microsoft Blue hat program. That’s coz most of the attackers don’t have what it takes to be a defender.
You don’t believe me, Lets take a case of the favourite attack of web attackers “XSS” lots have been written about it and if you ask any attacker the response would be this is such a silly bug all they need to do is filter the input and all is good. If they can’t filter everything put CSP and a WAF. Let me put the thought process that will go through a defender’s mind. 1. Let’s filter the input. Need to raise a ticket for developer’s to identify all inputs and filter them. Same for Output. : results in cost increase : Project manager rejects the request or puts it in lower priority coz a mission critical feature needs to go live in next 5 days. 2. Ohk let me put a WAF: waf enabled on pre -prod for test, Holy smokes why is website not working. Ah “cookie contains a ‘ and WAF can’t allow it.”. Let me put and exception, what if this cookie is then used for SQL Injection.
3. Let’s Try putting CSP: After 3 hours of reading all documentation and trying out various setup. This is already too complex let me first document the whole stuff and then let me put out a process that inline scripts are not allowed. Next meeting “a big veto by developers” and guess what dev win coz they deliver something tangible and even if all works out just fine are we done. well looking at what github is working on we still seems to be miles away on the process.
This reminds me of a image posted on twitter.
Effectively what we have achieved is that we have incentivised people to find creating ways to punch holes but we are not at all incentivising people to find ways to make the wall stronger. So one side we have not progressed much on the offensive side and on the other side developers are tasked with major work every few days and hence those security task’s which take up a lot of time to get fixed but don’t show any tangible benifits have to be moved downwards.
The bottom line is if there is ever a discussion/debate between defender’s and developers, devs always win coz we have finally successfully convinced the world that when an attack happen no point preventing it, coz guess what “everyone is hacked, it’s just a matter of realizing“. Why spend “read waste” money in defensive measure. Case in point
Working in defence recently has given me the insight that companies care much less if they get owned than offence thinks they do.
— Fenrir (@semibogan) April 28, 2016
Verizon DBIR 2016 very accurately portrays a defender
“Playing a part on the blue team in information security can, to a very small degree, be compared to the lot of a hapless soldier. The soldier is told to guard a certain hill and to keep it at all costs. However, he is not told who his enemy may be, what they look like, where they are coming from, or when (or how) they are likely to strike. To ride this analogous horse a bit further, the soldier is given a hand-me-down rifle with only a few rounds of ammunition to fulfil his task. It seems a bit unfair really — even the American Revolution got Paul Revere.”
Defender is one silent player of the team which takes one for the team all the time. They live silent life and face all hostility and humiliation in hands of attacker. It’s like did you saw all the other protections on every single entry, i missed this and now i am all wrong thanks for the words.
I often see claims by attackers that i helped saving XYZ or following company. Frankly you did 1/10 of the work the actual appreciation if it needs to be given should be given to the response team which does the job of finding issue and fixing it from your lame report where you might not even have a single clue what exactly you have caused. The response team identifies the actual source of issue and works towards fixing the issue and deploys the patch. all an attacker does is report’s XYZ seems to be working differently than expected. based on my skill level XYZ stuff is possible with this. The only reason it’s all so glamorized because someone someday thought lets pay these cry-babies to find bugs for us.
A blog post original source here which is 404 now very accuratly described the infosec attacker scene:
“Most hackers could not write a web browser, a web app from scratch, would not attend the committee meetings to get a protocol to happen in the first place. Yet through some hard work and intelligence find a bug, that in some cases pops a shell, and they’re cleverer than the person who made it in the first place? That isn’t how reality works. It’s just sadly how infosec works.”
The most hastily written section of a pentest report is the recommendations sometimes bordering to refer official documentation or implement industry standard security best practices. To be honest Attackers are paid not just to find bugs but to also suggest what exactly we can do to protect ourselves. If i already knew about the bug and i still have the bugs in my code specially the easier ones (read XSS, SQLi etc) then either i am ignorant about my own shortcomings or i simply don’t care. If i do care i don’t just need a PoC i need details of what can i do to prevent it.
On top of all this no one seem to get the point that within infosec we have not yet solved two simple problems. 1. Inventory management
2. Patch Management.
If you look at most of the reports and flaws being reported the major causes circle around these two. in short knowing what we have and caring for what we have, we will be done with most of those issues. CVE / Mitre the authoritative sources for vulnerability details which is essential for patch management have not been tracking all software flaws and there is no source which can claim and substantiate the claim that all vulnerability are being tracked.
Looking at most of the pentest reports and newest fad’s bug bounty reports they simply don’t even attempt to solve the problem and if they do attempt to solve the problem most of the time they fail in it too drastically.
Now this brings me to the part were i start thinking, am i the only one thinking or talking about it, it doesn’t seems that way i see a lot of tweets pointing in these directions now.
some other folks talking on similar lines:
If I can do decent security with some stupid group policy, batch files, and crappy tools I barely get purchase approval for, there’s hope.
— SwiftOnSecurity (@SwiftOnSecurity) April 28, 2016
We need a new policy of not accepting talks like this. https://t.co/zUWRf2yPdO
— Don A. Bailey (@DonAndrewBailey) August 7, 2016
As much as I love pushing the boundaries of offense, we need to see more defensive talks on IoT. 🙂
— Don A. Bailey (@DonAndrewBailey) August 7, 2016
Dear infosec conferences. It would be nice if we could move from breaking components to securing systems.
— Wim Remes (@wimremes) May 24, 2017
a nice post by Daniel Miessler putting focus on the fact that there are less defensive talks and far more offensive stuff being thrown out in open.
So enough of ranting (reading bitching) about what’s wrong with the world. Let’s try to focus on future and see what we can do. These are some of the points that i feel need to be worked on. Feel free to suggest more options via comments.
what we as defenders can actually do:
- We need to start collaborating.
- We need to focus on making the most of community knowledge.
- We need to consolidate our efforts.
This last points needs to be explained. A large number of times i have seen big corporations writing stuff from scratch (start-ups love to release code publically) or just maintaining a custom version of software coz its used internally whereas the author might not be interested in it anymore or might not be developing it anymore. At this point there might be multiple such internal versions being maintained by multiple organizations, the need is to openly say and support the public version of code, put money where the mouth is and ensure that the product is strong enough.
I have ranted enough about the pentesters and have said a lot about them, however are all defenders good, do they have everything sorted for them. If i say yes i will be far from the facts. Here are some points that i think every defender should keep in mind:
- If you are a programmer and you don’t know how your software is deployed on server or client side you are doing it wrong.
- If you are a system administrator and you don’t know scripting and basics of programming language which are used in products you deploy you are doing it wrong.
Personally i feel the new buzzwords DEVOPS and DEVSECOPS are just gimmicky and are created to put more emphasis to what was missing. However the fact of life is if everyone in this industry follow a fundamental idea of knowing what you are dealing with if not fully then atleast at conceptual level then the world would be a much simpler and better place with lot less conflicts. On the other side i simply believe that the need is not to have more new buzz words but rather to simply “KNOW YOUR SHIT“.
If you want to draw parallels Sun Tzu wrote “Know thy self, know thy enemy. A thousand battles, a thousand victories.” The first part is “Know thy self” in battle knowing yourself is much more important. This battle that we fight on a daily basis is no less than a war and we need to treat it like a war.
Let me put it in clear if i have not said this directly above, we need more laser like focus on defensive capabilities, not adding more layers on the onion but rather practical usable doable security practices which ensure things get done the right way from the beginning
Additionally, we as normal users should start appreciating the good work a software developer might have done in getting stuff sorted. And put value or glorify the role of defender. Otherwise masses always go towards the glamorous side, which at this point is the dark side or simply offense.
Disclaimer: I don’t hate pentesting rather i do it for living, i am not suggesting that pentesting or offensive research should stop, i am mearly suggesting the defense also needs its fair share of attention.
Note: This was written long back (April 2016) but never ended up being published. So finally publishing it out now.